Google Declares War on the Password

Have you noticed how devices like this sound great in theory but, once you add human nature into the mix (the real weak link), they immediately get lost, stolen, left in the USB ports, so on and so forth. ;)

Passwords are a cheap and easy way to authenticate web surfers, but they’re not secure enough for today’s internet, and they never will be. Thus, they’re experimenting with new ways to replace the password, including a tiny Yubico cryptographic card that — when slid into a USB (Universal Serial Bus) reader — can automatically log a web surfer into Google. They’ve had to modify Google’s web browser to work with these cards, but there’s no software download and once the browser support is there, they’re easy to use. You log into the website, plug in the USB stick and then register it with a single mouse click.
 
They need a device which reads eye and fingerprint simultaneously and perhaps voice recognition as an additional layer. Toe jam analyzer for maximum securitah.
 
Great in theory, until you want to log into a website on your tablet or phone. Or you break this card. Or lose it. Or forget it at home. Or your dog eats it.
 
Master password for a file where you keep track of all your passwords anyone?
 
So it's like those stupid annoying DRM key things you get with professional software, for a web browser...
 
Here is a silly thought I know, but bear with me. How about we teach people to create easy-to-remember but difficult-to-crack passwords and IT "Professionals" to stop using retarded password requirements instead?

Examples -

DF$#45leun - This is an example of a password that is just about impossible for the average user to remember and it is what adheres to standard password policy. This password also is pathetically easy for a small script to crack.

Iwenttothestoreforbreadeggsandbutter - This password on the other hand is almost stupidly easy for the average user to remember and would be virtually impossible to crack.

The password isn't the problem, the problem is IT "Professionals" with dumb password rules and the fact that we have taught people to create passwords they will never remember.
 
They need a device which reads eye and fingerprint simultaneously and perhaps voice recognition as an additional layer. Toe jam analyzer for maximum securitah.

There are many biometric devices like this. I've developed quite a few.
 
The most secure system uses both something you have (a physical device) and something you know (password or other type thingy). For example, for my secure work login, I have a smartcard that encrypts everything done on that session, and to activate it, the card has to be in the reader, and I have to enter a PIN. The card without the PIN is useless, as is the PIN without the card.

I would love to see a read only USB type device for more secure logins, but that would still require you to enter a password or code. The best of both worlds, as you could use a simpler and easier to remember password, and the physical device would be useless unless they could somehow get the password or activation code.

And biometrics are not as secure as people think. I've seen a fingerprint scanner subverted with a simple "man in the middle" device plugged in between the reader and the USB port. Go go gadget fundamentally unsecure. Of course, people have been doing that with keystroke recorders on keyboards for a long time for password theft.

If the bad guy can get physical access to the machine, it is pretty much insecure, without some serious hardware modifications.
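The "card plus PIN" scheme above is worth seeing as working code. The following is an added example written for this page, not code from any poster or from Google or Yubico; it stands in for the smartcard with an RFC 4226 HOTP token (a one-time code derived from a device secret and a counter), which is an assumption about the device, and the user name, PIN and window size are constructed. The verifier requires both factors, stores the PIN only as a salted PBKDF2 hash, consumes each code once so it cannot be replayed, and answers with a single yes/no rather than revealing which factor failed.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """Simulated 'something you have': holds a secret and a counter that only moves forward."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class AuthServer:
    """Verifier that demands both the token code and the user's PIN (constructed example)."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, window: int = 5):
        # Number of counter steps ahead we tolerate (button pressed without logging in).
        self.window = window
        self.users: dict = {}

    def _pin_hash(self, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.PBKDF2_ROUNDS)

    def enroll(self, user: str, pin: str, device_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "pin_hash": self._pin_hash(pin, salt),
                            "secret": device_secret, "counter": 0}

    def verify(self, user: str, pin: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        pin_ok = hmac.compare_digest(self._pin_hash(pin, rec["salt"]), rec["pin_hash"])
        matched: Optional[int] = None
        for c in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                matched = c
                break
        if matched is not None:
            # Consume the code even when the PIN was wrong, so a code that was
            # observed once cannot be replayed later with a guessed PIN.
            rec["counter"] = matched + 1
        # One yes/no answer: the caller is not told which factor failed.
        return pin_ok and matched is not None


if __name__ == "__main__":
    # Secret from the RFC 4226 test vectors; "alice" and the PIN are constructed.
    secret = b"12345678901234567890"
    server, token = AuthServer(), Token(secret)
    server.enroll("alice", "4821", secret)
    code = token.press()
    print("wrong PIN, right code :", server.verify("alice", "0000", code))
    code = token.press()
    print("right PIN, right code :", server.verify("alice", "4821", code))
    print("same code replayed    :", server.verify("alice", "4821", code))
```

Losing the token alone yields nothing without the PIN, and a shoulder-surfed PIN yields nothing without a fresh code from the device; the look-ahead window is what keeps an accidental button press from locking the user out.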
 
Passwords work very well if they are long enough. The problem is the humans using them, not the passwords themselves. This problem has to be approached first and primarily from a human perspective, not a technical one.

In the meantime the best thing to do personally is use every character they let you use. Also, especially for shorter passwords, consider using a pattern based password rather than an arbitrary one. It is easier for the human mind to remember a pattern than it is to remember unrelated characters, but the fact that it is a pattern doesn't help computers to crack the password at all.

Simple Pattern example for an 8 character password:

xSw@3EdC

It looks complex and it is about as hard as any 8 character password gets for a computer to crack. However, it is wicked simple to remember. The best part is that extending the pattern to 12, 16, 20, 24, or even 28 characters makes it no harder to remember at all.
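The two posts above argue about what makes a password hard to guess: the "DF$#45leun versus a long sentence" post and the pattern-password post. The script below is an added example written for this page, not code from any poster; it estimates the search space of each password under two attacker models, exhaustive character guessing and guessing sequences of dictionary words, and converts the expected effort into years at two assumed guess rates. The guess rates, the 20,000-word dictionary size and the tiny wordlist are constructed assumptions for illustration, not measurements of any real cracking setup.

```python
import math
import string
from typing import List, Optional

# Assumed attacker guess rates against a fast, unsalted hash (illustrative only).
DESKTOP_GUESSES_PER_SEC = 1e9     # one GPU-class desktop
CLUSTER_GUESSES_PER_SEC = 1e12    # a large rented GPU cluster

# Constructed stand-in for an attacker's dictionary; DICTIONARY_SIZE is the
# assumed size of the real list used for the entropy estimate.
SAMPLE_WORDLIST = ["i", "went", "to", "the", "store", "for",
                   "bread", "eggs", "and", "butter"]
DICTIONARY_SIZE = 20_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(pw: str) -> int:
    """Alphabet size a brute-force attacker must assume, judged from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def brute_force_bits(pw: str) -> float:
    """Search-space size in bits under exhaustive character-by-character guessing."""
    return len(pw) * math.log2(charset_size(pw))


def segment_words(pw: str, wordlist: List[str]) -> Optional[List[str]]:
    """Greedy longest-match split of pw into dictionary words; None if it does not split cleanly."""
    words = sorted(set(wordlist), key=len, reverse=True)
    s = pw.lower()
    out: List[str] = []
    i = 0
    while i < len(s):
        for w in words:
            if s.startswith(w, i):
                out.append(w)
                i += len(w)
                break
        else:
            return None
    return out


def wordlist_bits(pw: str, wordlist: List[str] = SAMPLE_WORDLIST,
                  dict_size: int = DICTIONARY_SIZE) -> Optional[float]:
    """Search-space bits if the attacker guesses word sequences instead of characters."""
    words = segment_words(pw, wordlist)
    if words is None:
        return None
    return len(words) * math.log2(dict_size)


def expected_years(bits: float, guesses_per_sec: float) -> float:
    """Expected time to hit the password: half the keyspace at the given rate."""
    return (2 ** bits / 2) / guesses_per_sec / SECONDS_PER_YEAR


def assess(pw: str) -> dict:
    """Report both models and the time estimate for the cheaper of the two."""
    bits = brute_force_bits(pw)
    wbits = wordlist_bits(pw)
    effective = bits if wbits is None else min(bits, wbits)
    return {
        "password": pw,
        "charset": charset_size(pw),
        "brute_force_bits": round(bits, 1),
        "wordlist_bits": None if wbits is None else round(wbits, 1),
        "desktop_years": expected_years(effective, DESKTOP_GUESSES_PER_SEC),
        "cluster_years": expected_years(effective, CLUSTER_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    for pw in ["DF$#45leun", "Iwenttothestoreforbreadeggsandbutter", "xSw@3EdC"]:
        r = assess(pw)
        print(f"{r['password']:38} charset={r['charset']:3} "
              f"brute={r['brute_force_bits']:6} words={r['wordlist_bits']} "
              f"desktop={r['desktop_years']:.3g}y cluster={r['cluster_years']:.3g}y")
```

The model is deliberately crude: it assumes the attacker has the hash and knows nothing about the user, and it ignores rules-based mutations and keyboard-walk lists that real crackers apply. What it does show is that length dominates charset, and that a passphrase should be judged by how many dictionary words it contains, not only by how many characters.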
 
It would be awesome if they let military and DA civilians use their already existing CAC to log in. Though I'm sure the DoD wouldn't like them to be holding onto our certs for it, hah.
 
Iwenttothestoreforbreadeggsandbutter - This password on the other hand is almost stupidly easy for the average user to remember and would be virtually impossible to crack.
Very true. I build boxes now, but sometimes I do put in tickets for people. I'm thinking...

girlyouknowitstrueoooooooiloveyou@4:30PM

How's that? :D
 
DF$#45leun - This is an example of a password that is just about impossible for the average user to remember and it is what adheres to standard password policy. This password also is pathetically easy for a small script to crack.

WTF are you talking about? It would take a desktop PC over 50 years to crack that password. A serious supercomputer will do it in a much more reasonable time, but hackers don't tend to have supercomputers.

Don't get me wrong, I advocate longer over more complex, but frequently that is not an option, and a complex 9 character password is still pretty effective right now when your length is limited by the security software. Also, as I mentioned, a pattern based password lets you make one that is long, complex, and easy to remember, all at the same time.
 
This probably isn't accurate, but it's fun to play around with: http://howsecureismypassword.net/

My most used password:

74b4a43065351bb41ac27496576eeda9

I wonder if it's even remotely accurate
 
[double post]

I should probably say that my password follows this format:

Laildaz7tyz&
 
Smartcards already exist for this purpose and are far more secure.

As a keyboard device, the Yubikey is susceptible to keyloggers.
 
DF$#45leun - This is an example of a password that is just about impossible for the average user to remember and it is what adheres to standard password policy. This password also is pathetically easy for a small script to crack.
What are you talking about? That is a very secure password. Put the crack pipe down.
 
It would be awesome if they let military and DA civilians use their already existing CAC to log in. Though I'm sure the DoD wouldn't like them to be holding onto our certs for it, hah.

Is it even possible to use your CAC to login to a home computer? The only thing I can do is access the Air Force Portal and my OWA mail.

Two-factor or three-factor authentication would be a great way to get rid of passwords, but how do you implement that on a mass scale and not make people think it's invading their privacy?
 
What are you talking about? That is a very secure password. Put the crack pipe down.

It's secure as long as no one has direct access to run hashcat or similar on it. If someone had the resources it would last around a week. It's still kind of expensive but it's getting cheaper all the time.
 
It'd be a huge benefit for Google to tie you to a specific piece of hardware. They could bind your usage and metrics monitoring to a single device that would allow them to collect data on you much more effectively and with greater assurance they're actually monitoring the same person at all times. Using paranoia about password security to scare people into incorporating such a thingy into their lives could be hugely profitable for them and, just like with Android phones, make people actually ask for the device by name. There's nothing better than having people ask you to build a hollow wooden horse for your city instead of leaving it at the gate and hoping they'll be stupid enough to drag it inside.
 